[Freeipa-users] Reverse DNS and Forwarding

Martin Basti mbasti at redhat.com
Wed Jul 15 13:47:56 UTC 2015


On 15/07/15 15:07, Nevada Sanchez wrote:
> On Wednesday, July 15, 2015, Martin Basti <mbasti at redhat.com 
> <mailto:mbasti at redhat.com>> wrote:
>
>     On 14/07/15 19:12, Nevada Sanchez wrote:
>>     I have FreeIPA set up as our primary DNS on an AWS VPC. I set up
>>     global forwarding ('Forward First') so that it will forward
>>     queries to Amazon's DNS, and then fall back on IPA if it doesn't
>>     see a hit.
>>
>>     This works perfectly fine for forward DNS lookups:
>>
>>     $ # This host does not exist on FreeIPA, but does on Amazon DNS
>>     $ host ip-10-0-6-17.ec2.internal
>>     ip-10-0-6-17.ec2.internal has address 10.0.6.17
>>
>>     However, for reverse lookups, it doesn't seem to get forwarded.
>>
>>     $ # Same host, reverse lookup fails at FreeIPA
>>     $ host 10.0.6.17
>>     Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>
>>     $ # Explicitly forwarding to Amazon DNS, reverse lookup works
>>     $ host 10.0.6.17 10.0.0.2
>>     Using domain server:
>>     Name: 10.0.0.2
>>     Address: 10.0.0.2#53
>>     Aliases:
>>     17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.
>>
>>     Please help. Thanks!
>>
>>     -- 
>>     *Nevada Sanchez*
>>     Co-Founder, ASIC Design Team Lead
>>     <http://www.butterflynetinc.com/>
>>     tel: 203.689.5650 x314 | mobile: 775.863.8726
>>     Come join us <http://www.4combinator.com/#opportunities> and put
>>     a dent in the universe!
>>
>>
>     Hello, do you have any reverse zones configured on IPA DNS? (with
>     suffix 10.in-addr.arpa)?
>
>     -- 
>     Martin Basti
>
> Yes.
>
>
> -- 
> *Nevada Sanchez*
> Co-Founder, ASIC Design Team Lead
> <http://www.butterflynetinc.com/>
> tel: 203.689.5650 x314 | mobile: 775.863.8726
> Come join us <http://www.4combinator.com/#opportunities> and put a 
> dent in the universe!
>
Have you configured proper delegation via NS records to subzones of 
10.in-addr.arpa. on the IPA DNS?
More precisely, do you have a delegation for the 6.0.10.in-addr.arpa. zone to 
Amazon DNS?

Please note that forward first doesn't mean that the forwarder will be 
contacted first, with a fallback to IPA.
Forward first means that if there is no authoritative zone on the IPA server, 
the query will be forwarded to the forwarder; if the forwarder doesn't return an 
answer, then recursive search (if allowed) will be used from the root zone.
You have the 10.in-addr.arpa. zone configured, so it is the authoritative zone 
for the 17.6.0.10.in-addr.arpa. query, and you will get the authoritative 
answer NXDOMAIN; there is no need for forwarding.
You need to add a delegation:
ipa dnsrecord-add 10.in-addr.arpa. 6.0.10.in-addr.arpa. --ns-rec=amazon.dns.

HTH

-- 
Martin Basti
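The following is an added illustration of the decision Martin describes, written for this page; it is not FreeIPA or BIND code. It models the three outcomes a forward-first server can reach for a query: no matching authoritative zone (forward), a matching zone with no record (authoritative NXDOMAIN, never forwarded), and a matching zone that contains an NS record at a cut point (referral to the delegated server). The zone contents, the name "ipa.example.test." and the forwarder answers are constructed; "amazon.dns." is the placeholder from the reply above, and add_delegation() mirrors what the suggested ipa dnsrecord-add command does to the zone data.

```python
"""Model of the zone-match / forward-first / delegation decision from the
thread. Illustrative code written for this page, not FreeIPA or BIND code;
zone data and the name ipa.example.test. are constructed."""
import ipaddress


def canon(name: str) -> str:
    """Normalise a DNS name to lower case with a single trailing dot."""
    return name.rstrip(".").lower() + "."


def reverse_name(ip: str) -> str:
    """PTR owner name for an address, e.g. 10.0.6.17 -> 17.6.0.10.in-addr.arpa."""
    return canon(ipaddress.ip_address(ip).reverse_pointer)


def _labels(name: str) -> list:
    return canon(name).rstrip(".").split(".")


def is_subdomain(name: str, zone: str) -> bool:
    """True when name is at or below zone in the DNS tree."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def build_ipa_zones() -> dict:
    """Constructed authoritative data for the IPA server: the 10.in-addr.arpa.
    zone from the thread, holding one PTR record of its own."""
    return {
        "10.in-addr.arpa.": {
            "10.in-addr.arpa.": [("SOA", "ipa.example.test."), ("NS", "ipa.example.test.")],
            "10.0.0.10.in-addr.arpa.": [("PTR", "ipa.example.test.")],
        }
    }


# Constructed answers the Amazon resolver (the configured forwarder) would give.
AMAZON_DNS_ANSWERS = {
    "ip-10-0-6-17.ec2.internal.": "10.0.6.17",
    "17.6.0.10.in-addr.arpa.": "ip-10-0-6-17.ec2.internal.",
}


def add_delegation(zones: dict, parent: str, child: str, ns_target: str) -> None:
    """What 'ipa dnsrecord-add <parent> <child> --ns-rec=<ns_target>' does to
    the zone data: an NS record at the child name inside the parent zone
    creates a zone cut."""
    zones[canon(parent)].setdefault(canon(child), []).append(("NS", canon(ns_target)))


def resolve(qname: str, zones: dict, forwarder_answers: dict) -> tuple:
    """Decide how a forward-first server handles qname.

    Returns one of:
      ("forwarded", rdata)     no authoritative zone matched, forwarder answered
      ("recursion", None)      no zone matched and the forwarder had nothing
      ("referral", [ns, ...])  qname falls under a delegated subzone
      ("authoritative", [..])  answered from the server's own zone data
      ("NXDOMAIN", None)       inside an authoritative zone, but no such name
    """
    qname = canon(qname)
    matches = [z for z in zones if is_subdomain(qname, z)]
    if not matches:
        # Forward-first applies only here: nothing authoritative covers qname.
        if qname in forwarder_answers:
            return ("forwarded", forwarder_answers[qname])
        return ("recursion", None)

    # The longest (most specific) matching zone wins.
    zone = max(matches, key=lambda z: len(_labels(z)))
    records = zones[zone]

    # Zone cut: an NS set on a name below the apex that covers qname.
    # A real server returns this referral (or chases it when recursion is
    # allowed) instead of answering from its own data.
    for owner, rrset in records.items():
        if owner != zone and is_subdomain(qname, owner):
            ns = [rdata for rtype, rdata in rrset if rtype == "NS"]
            if ns:
                return ("referral", ns)

    ptr = [rdata for rtype, rdata in records.get(qname, []) if rtype == "PTR"]
    if ptr:
        return ("authoritative", ptr)
    # Zone is authoritative and the name is absent: NXDOMAIN, never forwarded.
    return ("NXDOMAIN", None)


if __name__ == "__main__":
    zones = build_ipa_zones()
    q = reverse_name("10.0.6.17")
    print("forward lookup:", resolve("ip-10-0-6-17.ec2.internal.", zones, AMAZON_DNS_ANSWERS))
    print("reverse, before delegation:", resolve(q, zones, AMAZON_DNS_ANSWERS))
    add_delegation(zones, "10.in-addr.arpa.", "6.0.10.in-addr.arpa.", "amazon.dns.")
    print("reverse, after delegation:", resolve(q, zones, AMAZON_DNS_ANSWERS))
```

Running it reproduces the thread: the ec2.internal name matches no IPA zone and is forwarded, the PTR query for 10.0.6.17 is answered NXDOMAIN from the authoritative 10.in-addr.arpa. zone, and only after the NS record for 6.0.10.in-addr.arpa. exists does the same query turn into a referral to the delegated server. The same logic applies to any other reverse or forward name you test against the constructed zones.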
